Analysis
- max time kernel: 156s
- max time network: 160s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 29-07-2022 03:56
Behavioral task behavioral1
- Sample: 28412b0f3a3010be0e140bcd1843ae8a.exe
- Resource: win7-20220718-en
Behavioral task behavioral2
- Sample: 28412b0f3a3010be0e140bcd1843ae8a.exe
- Resource: win10v2004-20220721-en
General
- Target: 28412b0f3a3010be0e140bcd1843ae8a.exe
- Size: 23KB
- MD5: 28412b0f3a3010be0e140bcd1843ae8a
- SHA1: 713ba709aa3639683f3b694e5f39cc70ae64bfc8
- SHA256: 141ebbc7f1ba7e845bffec372dd0fd6deb19827ab5f165b80800ba5d13db3599
- SHA512: f8630601534848f3b2208773550d2575566441242b310ba314ad4403e4cdb43a6e6b5dc89ee02d896569a6a7221f7c71b6bd2ab5f931e8d3fc6d63cdfee78744
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: 138.199.47.194:8080
- Mutex: e175a5480e706552178dc58079e250f8
- reg_key: e175a5480e706552178dc58079e250f8
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: server.exe (PID 1032)
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Drops startup file (2 IoCs)
  Processes: server.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e175a5480e706552178dc58079e250f8.exe (by server.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e175a5480e706552178dc58079e250f8.exe (by server.exe)
- Loads dropped DLL (1 IoC)
  Processes: 28412b0f3a3010be0e140bcd1843ae8a.exe (PID 1940)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: server.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\e175a5480e706552178dc58079e250f8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (by server.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e175a5480e706552178dc58079e250f8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (by server.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes: server.exe (PID 1032)
  Token: SeDebugPrivilege (1 event)
  Token: 33 (9 events, alternating with the following)
  Token: SeIncBasePriorityPrivilege (9 events)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 28412b0f3a3010be0e140bcd1843ae8a.exe, server.exe
  PID 1940 (28412b0f3a3010be0e140bcd1843ae8a.exe) wrote to memory of PID 1032 (server.exe): 4 events
  PID 1032 (server.exe) wrote to memory of PID 1744 (netsh.exe): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\28412b0f3a3010be0e140bcd1843ae8a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\28412b0f3a3010be0e140bcd1843ae8a.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe (listed three times, once as \Users\Admin\AppData\Local\Temp\server.exe; all entries carry identical hashes, which match the submitted sample)
  Filesize: 23KB
  MD5: 28412b0f3a3010be0e140bcd1843ae8a
  SHA1: 713ba709aa3639683f3b694e5f39cc70ae64bfc8
  SHA256: 141ebbc7f1ba7e845bffec372dd0fd6deb19827ab5f165b80800ba5d13db3599
  SHA512: f8630601534848f3b2208773550d2575566441242b310ba314ad4403e4cdb43a6e6b5dc89ee02d896569a6a7221f7c71b6bd2ab5f931e8d3fc6d63cdfee78744
- memory/1032-57-0x0000000000000000-mapping.dmp
- memory/1032-62-0x0000000075020000-0x00000000755CB000-memory.dmp (Filesize: 5.7MB)
- memory/1032-65-0x0000000075020000-0x00000000755CB000-memory.dmp (Filesize: 5.7MB)
- memory/1744-63-0x0000000000000000-mapping.dmp
- memory/1940-54-0x0000000076A21000-0x0000000076A23000-memory.dmp (Filesize: 8KB)
- memory/1940-55-0x0000000075020000-0x00000000755CB000-memory.dmp (Filesize: 5.7MB)
- memory/1940-61-0x0000000075020000-0x00000000755CB000-memory.dmp (Filesize: 5.7MB)